我可以在 Apache Shiro 安全注释中使用表达式吗?
我一直在 Apache Shiro 和 Spring Security 之间进行一些比较 - 我真的很喜欢 Shiro 使用的安全模型,并相信它比 Spring Security 干净得多。
然而,一大好处是能够从方法级安全注释中引用方法参数。例如,现在我可以这样:
@RequiresPermissions("account:send:*")
public void sendEmail( EmailAccount account, String to, String subject, String message) { ... }
在此示例的上下文中,这意味着经过身份验证的用户必须有权在电子邮件帐户上发送电子邮件。
然而,这还不够细粒度,因为我想要实例级别的权限!在此上下文中,假设用户可以拥有电子邮件帐户实例的权限。因此,我想将前面的代码编写为如下所示:
@RequiresPermissions("account:send:${account.id}")
public void sendEmail( EmailAccount account, String to, String subject, String message) { ... }
通过这种方式,权限字符串引用传递到方法中的参数,以便可以针对 EmailAccount 的特定实例保护该方法。
我知道我可以轻松地通过方法中的纯 Java 代码来完成此操作,但使用注释来实现相同的效果会很棒 - 我知道 Spring Security 在其注释中支持 Spring EL 表达式。
这绝对不是 Shiro 的功能吗?因此我必须编写自己的自定义注释吗?
谢谢,
安德鲁
I've been doing some comparisons between Apache Shiro and Spring Security - I'm really loving the security model that Shiro uses and believe it to be far cleaner that Spring Security.
However, one big nice-to-have would be to be able to reference method parameters from within the method-level security annotations. For example, right now I could so something like:
@RequiresPermissions("account:send:*")
public void sendEmail( EmailAccount account, String to, String subject, String message) { ... }
Within the context of this example, this means that the authenticated user must have the permission to send emails on email accounts.
However, this is not fine-grained enough, as I want instance level permissions! In this context, assume that users can have permissions on instances of email accounts. So, I'd like to write the previous code something like this:
@RequiresPermissions("account:send:${account.id}")
public void sendEmail( EmailAccount account, String to, String subject, String message) { ... }
In this way, the permission string is referencing a parameter passed into the method such that the method can be secured against a particular instance of EmailAccount.
I know I could easily do this from plain Java code within the method, but it would be great to achieve the same thing using annotations - I know Spring Security supports Spring EL expressions in its annotations.
Is this definitely not a feature of Shiro and thus will I have to write my own custom annotations?
Thanks,
Andrew
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
查看 http 中的类: //shiro.apache.org/static/current/apidocs/org/apache/shiro/authz/aop/package-summary.html,尤其是
PermissionAnnotationHandler。在那里你可以看到,当遇到 @RequiresPermissions 注释时,Shiro 所做的一切都是调用 getSubject().isPermission(permission) ,并且在注释值中根本不进行任何替换。如果您想要这种功能,则必须以某种方式覆盖该处理程序。所以回答你的问题:是的,这绝对不是 Shiro 的功能,你必须编写自己的注释或以某种方式覆盖该处理程序。
Look at the classes in http://shiro.apache.org/static/current/apidocs/org/apache/shiro/authz/aop/package-summary.html, especially
PermissionAnnotationHandler. There you can see that all Shiro does when encountering the@RequiresPermissionsannotation is callgetSubject().isPermitted(permission)and does no substitution inside the annotation value at all. You would have to somehow override that handler if you wanted this kind of functionality.So to answer your question: yes, this is definitely not a feature of Shiro and you have to either write your own annotation or somehow override that handler.
Shiro 目前不支持此功能。许多人请求此功能。也许我们可以投票支持这个问题?
https://issues.apache.org/jira/browse/SHIRO-484
https://issues.apache.org/jira/browse/SHIRO-77
<一href="https://issues.apache.org/jira/browse/SHIRO-417" rel="nofollow">https://issues.apache.org/jira/browse/SHIRO-417
https://issues.apache.org/jira/browse/SHIRO-331
This feature is currently not supported by Shiro. Multiple people have requested this feature. Perhaps we can vote for the issue?
https://issues.apache.org/jira/browse/SHIRO-484
https://issues.apache.org/jira/browse/SHIRO-77
https://issues.apache.org/jira/browse/SHIRO-417
https://issues.apache.org/jira/browse/SHIRO-331